1 // SPDX-License-Identifier: GPL-2.0-only
3 * AppArmor security module
5 * This file contains AppArmor dfa based regular expression matching engine
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2012 Canonical Ltd.
11 #include <linux/errno.h>
12 #include <linux/kernel.h>
14 #include <linux/slab.h>
15 #include <linux/vmalloc.h>
16 #include <linux/err.h>
17 #include <linux/kref.h>
19 #include "include/lib.h"
20 #include "include/match.h"
22 #define base_idx(X) ((X) & 0xffffff)
25 * unpack_table - unpack a dfa table (one of accept, default, base, next check)
26 * @blob: data to unpack (NOT NULL)
27 * @bsize: size of blob
29 * Returns: pointer to table else NULL on failure
31 * NOTE: must be freed by kvfree (not kfree)
33 static struct table_header *unpack_table(char *blob, size_t bsize)
35 struct table_header *table = NULL;
36 struct table_header th;
39 if (bsize < sizeof(struct table_header))
42 /* loaded td_id's start at 1, subtract 1 now to avoid doing
43 * it every time we use td_id as an index
45 th.td_id = be16_to_cpu(*(__be16 *) (blob)) - 1;
46 if (th.td_id > YYTD_ID_MAX)
48 th.td_flags = be16_to_cpu(*(__be16 *) (blob + 2));
49 th.td_lolen = be32_to_cpu(*(__be32 *) (blob + 8));
50 blob += sizeof(struct table_header);
52 if (!(th.td_flags == YYTD_DATA16 || th.td_flags == YYTD_DATA32 ||
53 th.td_flags == YYTD_DATA8))
56 /* if we have a table it must have some entries */
59 tsize = table_size(th.td_lolen, th.td_flags);
63 table = kvzalloc(tsize, GFP_KERNEL);
65 table->td_id = th.td_id;
66 table->td_flags = th.td_flags;
67 table->td_lolen = th.td_lolen;
68 if (th.td_flags == YYTD_DATA8)
69 UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
70 u8, u8, byte_to_byte);
71 else if (th.td_flags == YYTD_DATA16)
72 UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
73 u16, __be16, be16_to_cpu);
74 else if (th.td_flags == YYTD_DATA32)
75 UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
76 u32, __be32, be32_to_cpu);
79 /* if table was vmalloced make sure the page tables are synced
80 * before it is used, as it goes live to all cpus.
82 if (is_vmalloc_addr(table))
94 * verify_table_headers - verify that the tables headers are as expected
95 * @tables: array of dfa tables to check (NOT NULL)
96 * @flags: flags controlling what type of accept table are acceptable
98 * Assumes dfa has gone through the first pass verification done by unpacking
99 * NOTE: this does not valid accept table values
101 * Returns: %0 else error code on failure to verify
103 static int verify_table_headers(struct table_header **tables, int flags)
105 size_t state_count, trans_count;
108 /* check that required tables exist */
109 if (!(tables[YYTD_ID_DEF] && tables[YYTD_ID_BASE] &&
110 tables[YYTD_ID_NXT] && tables[YYTD_ID_CHK]))
113 /* accept.size == default.size == base.size */
114 state_count = tables[YYTD_ID_BASE]->td_lolen;
115 if (ACCEPT1_FLAGS(flags)) {
116 if (!tables[YYTD_ID_ACCEPT])
118 if (state_count != tables[YYTD_ID_ACCEPT]->td_lolen)
121 if (ACCEPT2_FLAGS(flags)) {
122 if (!tables[YYTD_ID_ACCEPT2])
124 if (state_count != tables[YYTD_ID_ACCEPT2]->td_lolen)
127 if (state_count != tables[YYTD_ID_DEF]->td_lolen)
130 /* next.size == chk.size */
131 trans_count = tables[YYTD_ID_NXT]->td_lolen;
132 if (trans_count != tables[YYTD_ID_CHK]->td_lolen)
135 /* if equivalence classes then its table size must be 256 */
136 if (tables[YYTD_ID_EC] && tables[YYTD_ID_EC]->td_lolen != 256)
145 * verify_dfa - verify that transitions and states in the tables are in bounds.
146 * @dfa: dfa to test (NOT NULL)
148 * Assumes dfa has gone through the first pass verification done by unpacking
149 * NOTE: this does not valid accept table values
151 * Returns: %0 else error code on failure to verify
153 static int verify_dfa(struct aa_dfa *dfa)
155 size_t i, state_count, trans_count;
158 state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
159 trans_count = dfa->tables[YYTD_ID_NXT]->td_lolen;
160 if (state_count == 0)
162 for (i = 0; i < state_count; i++) {
163 if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) &&
164 (DEFAULT_TABLE(dfa)[i] >= state_count))
166 if (BASE_TABLE(dfa)[i] & MATCH_FLAGS_INVALID) {
167 pr_err("AppArmor DFA state with invalid match flags");
170 if ((BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE)) {
171 if (!(dfa->flags & YYTH_FLAG_DIFF_ENCODE)) {
172 pr_err("AppArmor DFA diff encoded transition state without header flag");
176 if ((BASE_TABLE(dfa)[i] & MATCH_FLAG_OOB_TRANSITION)) {
177 if (base_idx(BASE_TABLE(dfa)[i]) < dfa->max_oob) {
178 pr_err("AppArmor DFA out of bad transition out of range");
181 if (!(dfa->flags & YYTH_FLAG_OOB_TRANS)) {
182 pr_err("AppArmor DFA out of bad transition state without header flag");
186 if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) {
187 pr_err("AppArmor DFA next/check upper bounds error\n");
192 for (i = 0; i < trans_count; i++) {
193 if (NEXT_TABLE(dfa)[i] >= state_count)
195 if (CHECK_TABLE(dfa)[i] >= state_count)
199 /* Now that all the other tables are verified, verify diffencoding */
200 for (i = 0; i < state_count; i++) {
204 (BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE) &&
205 !(BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE);
207 k = DEFAULT_TABLE(dfa)[j];
211 break; /* already verified */
212 BASE_TABLE(dfa)[j] |= MARK_DIFF_ENCODE;
222 * dfa_free - free a dfa allocated by aa_dfa_unpack
223 * @dfa: the dfa to free (MAYBE NULL)
225 * Requires: reference count to dfa == 0
227 static void dfa_free(struct aa_dfa *dfa)
232 for (i = 0; i < ARRAY_SIZE(dfa->tables); i++) {
233 kvfree(dfa->tables[i]);
234 dfa->tables[i] = NULL;
241 * aa_dfa_free_kref - free aa_dfa by kref (called by aa_put_dfa)
242 * @kref: kref callback for freeing of a dfa (NOT NULL)
244 void aa_dfa_free_kref(struct kref *kref)
246 struct aa_dfa *dfa = container_of(kref, struct aa_dfa, count);
253 * remap_data16_to_data32 - remap u16 @old table to a u32 based table
254 * @old: table to remap
256 * Returns: new table with u32 entries instead of u16.
258 * Note: will free @old so caller does not have to
260 static struct table_header *remap_data16_to_data32(struct table_header *old)
262 struct table_header *new;
266 tsize = table_size(old->td_lolen, YYTD_DATA32);
267 new = kvzalloc(tsize, GFP_KERNEL);
272 new->td_id = old->td_id;
273 new->td_flags = YYTD_DATA32;
274 new->td_lolen = old->td_lolen;
276 for (i = 0; i < old->td_lolen; i++)
277 TABLE_DATAU32(new)[i] = (u32) TABLE_DATAU16(old)[i];
280 if (is_vmalloc_addr(new))
287 * aa_dfa_unpack - unpack the binary tables of a serialized dfa
288 * @blob: aligned serialized stream of data to unpack (NOT NULL)
289 * @size: size of data to unpack
290 * @flags: flags controlling what type of accept tables are acceptable
292 * Unpack a dfa that has been serialized. To find information on the dfa
293 * format look in Documentation/admin-guide/LSM/apparmor.rst
294 * Assumes the dfa @blob stream has been aligned on a 8 byte boundary
296 * Returns: an unpacked dfa ready for matching or ERR_PTR on failure
298 struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags)
303 struct table_header *table = NULL;
304 struct aa_dfa *dfa = kzalloc(sizeof(struct aa_dfa), GFP_KERNEL);
308 kref_init(&dfa->count);
312 /* get dfa table set header */
313 if (size < sizeof(struct table_set_header))
316 if (ntohl(*(__be32 *) data) != YYTH_MAGIC)
319 hsize = ntohl(*(__be32 *) (data + 4));
323 dfa->flags = ntohs(*(__be16 *) (data + 12));
324 if (dfa->flags & ~(YYTH_FLAGS))
328 * TODO: needed for dfa to support more than 1 oob
329 * if (dfa->flags & YYTH_FLAGS_OOB_TRANS) {
330 * if (hsize < 16 + 4)
332 * dfa->max_oob = ntol(*(__be32 *) (data + 16));
333 * if (dfa->max <= MAX_OOB_SUPPORTED) {
334 * pr_err("AppArmor DFA OOB greater than supported\n");
345 table = unpack_table(data, size);
349 switch (table->td_id) {
351 if (!(table->td_flags & ACCEPT1_FLAGS(flags)))
354 case YYTD_ID_ACCEPT2:
355 if (!(table->td_flags & ACCEPT2_FLAGS(flags)))
359 if (table->td_flags != YYTD_DATA32)
365 if (!(table->td_flags == YYTD_DATA16 ||
366 table->td_flags == YYTD_DATA32)) {
371 if (table->td_flags != YYTD_DATA8)
377 /* check for duplicate table entry */
378 if (dfa->tables[table->td_id])
380 dfa->tables[table->td_id] = table;
381 data += table_size(table->td_lolen, table->td_flags);
382 size -= table_size(table->td_lolen, table->td_flags);
385 * this remapping has to be done after incrementing data above
386 * for now straight remap, later have dfa support both
388 switch (table->td_id) {
392 if (table->td_flags == YYTD_DATA16) {
393 table = remap_data16_to_data32(table);
397 dfa->tables[table->td_id] = table;
402 error = verify_table_headers(dfa->tables, flags);
406 if (flags & DFA_FLAG_VERIFY_STATES) {
407 error = verify_dfa(dfa);
417 return ERR_PTR(error);
420 #define match_char(state, def, base, next, check, C) \
422 u32 b = (base)[(state)]; \
423 unsigned int pos = base_idx(b) + (C); \
424 if ((check)[pos] != (state)) { \
425 (state) = (def)[(state)]; \
426 if (b & MATCH_FLAG_DIFF_ENCODE) \
430 (state) = (next)[pos]; \
435 * aa_dfa_match_len - traverse @dfa to find state @str stops at
436 * @dfa: the dfa to match @str against (NOT NULL)
437 * @start: the state of the dfa to start matching in
438 * @str: the string of bytes to match against the dfa (NOT NULL)
439 * @len: length of the string of bytes to match
441 * aa_dfa_match_len will match @str against the dfa and return the state it
442 * finished matching in. The final state can be used to look up the accepting
443 * label, or as the start state of a continuing match.
445 * This function will happily match again the 0 byte and only finishes
446 * when @len input is consumed.
448 * Returns: final state reached after input is consumed
450 aa_state_t aa_dfa_match_len(struct aa_dfa *dfa, aa_state_t start,
451 const char *str, int len)
453 u32 *def = DEFAULT_TABLE(dfa);
454 u32 *base = BASE_TABLE(dfa);
455 u32 *next = NEXT_TABLE(dfa);
456 u32 *check = CHECK_TABLE(dfa);
457 aa_state_t state = start;
459 if (state == DFA_NOMATCH)
462 /* current state is <state>, matching character *str */
463 if (dfa->tables[YYTD_ID_EC]) {
464 /* Equivalence class table defined */
465 u8 *equiv = EQUIV_TABLE(dfa);
467 match_char(state, def, base, next, check,
470 /* default is direct to next state */
472 match_char(state, def, base, next, check, (u8) *str++);
479 * aa_dfa_match - traverse @dfa to find state @str stops at
480 * @dfa: the dfa to match @str against (NOT NULL)
481 * @start: the state of the dfa to start matching in
482 * @str: the null terminated string of bytes to match against the dfa (NOT NULL)
484 * aa_dfa_match will match @str against the dfa and return the state it
485 * finished matching in. The final state can be used to look up the accepting
486 * label, or as the start state of a continuing match.
488 * Returns: final state reached after input is consumed
490 aa_state_t aa_dfa_match(struct aa_dfa *dfa, aa_state_t start, const char *str)
492 u32 *def = DEFAULT_TABLE(dfa);
493 u32 *base = BASE_TABLE(dfa);
494 u32 *next = NEXT_TABLE(dfa);
495 u32 *check = CHECK_TABLE(dfa);
496 aa_state_t state = start;
498 if (state == DFA_NOMATCH)
501 /* current state is <state>, matching character *str */
502 if (dfa->tables[YYTD_ID_EC]) {
503 /* Equivalence class table defined */
504 u8 *equiv = EQUIV_TABLE(dfa);
505 /* default is direct to next state */
507 match_char(state, def, base, next, check,
510 /* default is direct to next state */
512 match_char(state, def, base, next, check, (u8) *str++);
519 * aa_dfa_next - step one character to the next state in the dfa
520 * @dfa: the dfa to traverse (NOT NULL)
521 * @state: the state to start in
522 * @c: the input character to transition on
524 * aa_dfa_match will step through the dfa by one input character @c
526 * Returns: state reach after input @c
528 aa_state_t aa_dfa_next(struct aa_dfa *dfa, aa_state_t state, const char c)
530 u32 *def = DEFAULT_TABLE(dfa);
531 u32 *base = BASE_TABLE(dfa);
532 u32 *next = NEXT_TABLE(dfa);
533 u32 *check = CHECK_TABLE(dfa);
535 /* current state is <state>, matching character *str */
536 if (dfa->tables[YYTD_ID_EC]) {
537 /* Equivalence class table defined */
538 u8 *equiv = EQUIV_TABLE(dfa);
539 match_char(state, def, base, next, check, equiv[(u8) c]);
541 match_char(state, def, base, next, check, (u8) c);
546 aa_state_t aa_dfa_outofband_transition(struct aa_dfa *dfa, aa_state_t state)
548 u32 *def = DEFAULT_TABLE(dfa);
549 u32 *base = BASE_TABLE(dfa);
550 u32 *next = NEXT_TABLE(dfa);
551 u32 *check = CHECK_TABLE(dfa);
552 u32 b = (base)[(state)];
554 if (!(b & MATCH_FLAG_OOB_TRANSITION))
557 /* No Equivalence class remapping for outofband transitions */
558 match_char(state, def, base, next, check, -1);
564 * aa_dfa_match_until - traverse @dfa until accept state or end of input
565 * @dfa: the dfa to match @str against (NOT NULL)
566 * @start: the state of the dfa to start matching in
567 * @str: the null terminated string of bytes to match against the dfa (NOT NULL)
568 * @retpos: first character in str after match OR end of string
570 * aa_dfa_match will match @str against the dfa and return the state it
571 * finished matching in. The final state can be used to look up the accepting
572 * label, or as the start state of a continuing match.
574 * Returns: final state reached after input is consumed
576 aa_state_t aa_dfa_match_until(struct aa_dfa *dfa, aa_state_t start,
577 const char *str, const char **retpos)
579 u32 *def = DEFAULT_TABLE(dfa);
580 u32 *base = BASE_TABLE(dfa);
581 u32 *next = NEXT_TABLE(dfa);
582 u32 *check = CHECK_TABLE(dfa);
583 u32 *accept = ACCEPT_TABLE(dfa);
584 aa_state_t state = start, pos;
586 if (state == DFA_NOMATCH)
589 /* current state is <state>, matching character *str */
590 if (dfa->tables[YYTD_ID_EC]) {
591 /* Equivalence class table defined */
592 u8 *equiv = EQUIV_TABLE(dfa);
593 /* default is direct to next state */
595 pos = base_idx(base[state]) + equiv[(u8) *str++];
596 if (check[pos] == state)
604 /* default is direct to next state */
606 pos = base_idx(base[state]) + (u8) *str++;
607 if (check[pos] == state)
621 * aa_dfa_matchn_until - traverse @dfa until accept or @n bytes consumed
622 * @dfa: the dfa to match @str against (NOT NULL)
623 * @start: the state of the dfa to start matching in
624 * @str: the string of bytes to match against the dfa (NOT NULL)
625 * @n: length of the string of bytes to match
626 * @retpos: first character in str after match OR str + n
628 * aa_dfa_match_len will match @str against the dfa and return the state it
629 * finished matching in. The final state can be used to look up the accepting
630 * label, or as the start state of a continuing match.
632 * This function will happily match again the 0 byte and only finishes
633 * when @n input is consumed.
635 * Returns: final state reached after input is consumed
637 aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start,
638 const char *str, int n, const char **retpos)
640 u32 *def = DEFAULT_TABLE(dfa);
641 u32 *base = BASE_TABLE(dfa);
642 u32 *next = NEXT_TABLE(dfa);
643 u32 *check = CHECK_TABLE(dfa);
644 u32 *accept = ACCEPT_TABLE(dfa);
645 aa_state_t state = start, pos;
648 if (state == DFA_NOMATCH)
651 /* current state is <state>, matching character *str */
652 if (dfa->tables[YYTD_ID_EC]) {
653 /* Equivalence class table defined */
654 u8 *equiv = EQUIV_TABLE(dfa);
655 /* default is direct to next state */
657 pos = base_idx(base[state]) + equiv[(u8) *str++];
658 if (check[pos] == state)
666 /* default is direct to next state */
668 pos = base_idx(base[state]) + (u8) *str++;
669 if (check[pos] == state)
682 #define inc_wb_pos(wb) \
684 wb->pos = (wb->pos + 1) & (WB_HISTORY_SIZE - 1); \
685 wb->len = (wb->len + 1) & (WB_HISTORY_SIZE - 1); \
688 /* For DFAs that don't support extended tagging of states */
689 static bool is_loop(struct match_workbuf *wb, aa_state_t state,
690 unsigned int *adjust)
692 aa_state_t pos = wb->pos;
695 if (wb->history[pos] < state)
698 for (i = 0; i <= wb->len; i++) {
699 if (wb->history[pos] == state) {
704 pos = WB_HISTORY_SIZE;
712 static aa_state_t leftmatch_fb(struct aa_dfa *dfa, aa_state_t start,
713 const char *str, struct match_workbuf *wb,
716 u32 *def = DEFAULT_TABLE(dfa);
717 u32 *base = BASE_TABLE(dfa);
718 u32 *next = NEXT_TABLE(dfa);
719 u32 *check = CHECK_TABLE(dfa);
720 aa_state_t state = start, pos;
728 if (state == DFA_NOMATCH)
731 /* current state is <state>, matching character *str */
732 if (dfa->tables[YYTD_ID_EC]) {
733 /* Equivalence class table defined */
734 u8 *equiv = EQUIV_TABLE(dfa);
735 /* default is direct to next state */
739 wb->history[wb->pos] = state;
740 pos = base_idx(base[state]) + equiv[(u8) *str++];
741 if (check[pos] == state)
745 if (is_loop(wb, state, &adjust)) {
746 state = aa_dfa_match(dfa, state, str);
754 /* default is direct to next state */
758 wb->history[wb->pos] = state;
759 pos = base_idx(base[state]) + (u8) *str++;
760 if (check[pos] == state)
764 if (is_loop(wb, state, &adjust)) {
765 state = aa_dfa_match(dfa, state, str);
781 * aa_dfa_leftmatch - traverse @dfa to find state @str stops at
782 * @dfa: the dfa to match @str against (NOT NULL)
783 * @start: the state of the dfa to start matching in
784 * @str: the null terminated string of bytes to match against the dfa (NOT NULL)
785 * @count: current count of longest left.
787 * aa_dfa_match will match @str against the dfa and return the state it
788 * finished matching in. The final state can be used to look up the accepting
789 * label, or as the start state of a continuing match.
791 * Returns: final state reached after input is consumed
793 aa_state_t aa_dfa_leftmatch(struct aa_dfa *dfa, aa_state_t start,
794 const char *str, unsigned int *count)
798 /* TODO: match for extended state dfas */
800 return leftmatch_fb(dfa, start, str, &wb, count);
projects / J-linux.git / blob